Updates

February 13, 2018
• admin

Data Diode for ICS: how to use it for protecting assets

It all comes down to segregation when protecting your assets for your industrial control systems (ICS). Ideally you would like your plant and office network, or different parts within the plant, to communicate with each other in an absolutely secure way. That’s where the data diode comes in. But how do you use a data diode for your ICS?

There are different reasons why the IT (office network) and OT (Industrial Control System) of a critical infrastructure environment should not be integrated and why an air gap or firewall doesn’t offer sufficient protection for your assets. A data diode is the only way to exclude online or digital attacks and it is the only solution that guarantees a one-way connection on a physical level, since it doesn’t contain software; it’s a carefully configured piece of hardware.

Two-way becomes one-way

The essence of a data diode lies in the fact that the hardware enforces one-way traffic on a particular connection. The unidirectional property is assured on the physical layer. This means there’s no possibility for human errors or misconfigurations, whether by accident or intentional.

The challenge is that most network protocols require two-way communication. You resolve this by equipping the data diode with proxies. This way you can convert all kinds of network traffic into a proprietary, reliable one-way protocol, and vice-versa. Take OPC or Modbus, for example. The data is received by the proxy on the ICS network and then transmitted to the corporate network proxy where it is then made available.

Plug and play security

A data diode set-up is essentially a stackable system. At the heart is the data diode, a solution for connecting otherwise separated networks. After installing the hardware and connecting the cables, the data can only flow in one way per definition. Afterwards you can’t ‘configure’, or in other words change, in which way the data will flow in order to protect your assets.

Historians

So, now you have created this unidirectional communication flow, but what about the data historians? Perhaps you work with OSIsoft Pi, Honeywell, Yokogawa or Wonderware to store your production data. You may want to access them from both the plant floor as well as the corporate departments. However, there’s no need to create an open connection between both networks.

By duplicating historian data from a historian server in the ICS production environment to a historian server in the corporate environment, you don’t have to provide a DMZ or two-way network communication. The historian is placed between the production systems or workstations and the proxy servers. The replica which is placed on the IT side of the data diode operates in real-time and is updated with live data. The result: corporate network users can access information without endangering the critical infrastructure systems.

Central monitoring station

Larger companies may operate from multiple sites. If that’s the case, it is crucial the networks on all sites are secured and can be monitored from a central location.

With a real-time one-way connection, it is possible to send data from the OT environment into a so called SIEM (Security Information and Event Management) in the IT. The SIEM function centralizes all security event logs and since that ensures correlations between events from multiple plants, it enhances the analysis.